@lanonasis/oauth-client 2.0.0 → 2.0.4

package/README.md

@@ -1,16 +1,32 @@
 # @lanonasis/oauth-client
 
-Drop-in OAuth + API Key authentication client for the Lanonasis ecosystem. Supports dual authentication modes: OAuth2 PKCE flow for pre-registered clients and direct API key authentication for dashboard users. Handles browser/desktop/terminal flows, token lifecycle, secure storage, and MCP WebSocket/SSE connections.
+**THE single authentication package** for the Lanonasis ecosystem. Consolidates all auth patterns: OAuth2 PKCE, API keys, magic links, React hooks, and Express middleware.
+
+> **v2.0**: Now includes `/react` and `/server` exports! Migrating from `@lanonasis/shared-auth`? See [Migration Guide](#migration-from-lanonasisshared-auth).
 
 ## Features
-- **Dual Authentication**: OAuth2 PKCE flow OR direct API key authentication
-- OAuth flows for terminal and desktop (Electron-friendly) environments
-- API key authentication for new users with dashboard-generated keys
-- Token storage with secure backends (Keytar, encrypted files, Electron secure store, mobile secure storage, WebCrypto in browsers); browser builds auto-use web storage
-- API key storage that normalizes to SHA-256 digests before persisting
-- MCP client that connects over WebSocket (`/ws`) or SSE (`/sse`) with auto-refreshing tokens
-- Automatic auth mode detection based on configuration
-- ESM + CJS bundles with a dedicated browser export to avoid Node-only deps
+
+### Core Authentication
+- **OAuth2 PKCE Flow**: Terminal and desktop (Electron) environments
+- **API Key Authentication**: Dashboard-generated keys for instant access
+- **Magic Link / OTP Flow**: Passwordless email authentication
+- **Token Storage**: Secure backends (Keytar, encrypted files, WebCrypto)
+
+### React Integration (`/react`)
+- **`useSSO()`**: React hook for SSO authentication state
+- **`useSSOSync()`**: Cross-subdomain session synchronization
+- **Cookie utilities**: `parseUserCookie`, `hasSessionCookie`, `clearUserCookie`
+
+### Server Integration (`/server`)
+- **`requireAuth()`**: Express middleware enforcing authentication
+- **`optionalAuth()`**: Attach user if authenticated, allow anonymous
+- **`requireRole(role)`**: Role-based access control middleware
+- **Cookie parsing**: `getSSOUserFromRequest`, `getSessionTokenFromRequest`
+
+### Additional Features
+- MCP client (WebSocket/SSE) with auto-refreshing tokens
+- ESM + CJS bundles with dedicated browser export
+- TypeScript types included
 
 ## Installation
 ```bash
@@ -76,6 +92,82 @@ const flow = new DesktopOAuthFlow({
 const tokens = await flow.authenticate();
 ```
 
+### Magic Link / OTP Flow (Passwordless)
+```ts
+import { MagicLinkFlow } from '@lanonasis/oauth-client';
+
+const flow = new MagicLinkFlow({
+  authBaseUrl: 'https://auth.lanonasis.com'
+});
+
+// Send OTP to user's email
+await flow.sendOTP('user@example.com');
+
+// User enters the code they received
+const tokens = await flow.verifyOTP('user@example.com', '123456');
+```
+
+### React Hooks (`/react`)
+```tsx
+import { useSSO, useSSOSync } from '@lanonasis/oauth-client/react';
+
+function MyComponent() {
+  const { user, isAuthenticated, isLoading, error } = useSSO({
+    authGatewayUrl: 'https://auth.lanonasis.com',
+    projectScope: 'my-app'
+  });
+
+  if (isLoading) return <div>Loading...</div>;
+  if (!isAuthenticated) return <div>Please log in</div>;
+
+  return <div>Hello, {user.email}!</div>;
+}
+
+// For cross-subdomain session sync
+function App() {
+  useSSOSync({ pollInterval: 30000 });
+  return <MyComponent />;
+}
+```
+
+### Server Middleware (`/server`)
+```ts
+import express from 'express';
+import {
+  requireAuth,
+  optionalAuth,
+  requireRole,
+  getSSOUserFromRequest
+} from '@lanonasis/oauth-client/server';
+
+const app = express();
+
+// Require authentication
+app.get('/api/profile', requireAuth(), (req, res) => {
+  res.json({ user: req.user });
+});
+
+// Optional authentication (attach user if present)
+app.get('/api/public', optionalAuth(), (req, res) => {
+  if (req.user) {
+    res.json({ message: `Hello ${req.user.email}` });
+  } else {
+    res.json({ message: 'Hello guest' });
+  }
+});
+
+// Role-based access control
+app.delete('/api/admin/users/:id', requireAuth(), requireRole('admin'), (req, res) => {
+  // Only admins can reach here
+});
+
+// Manual user extraction
+app.get('/api/check', (req, res) => {
+  const user = getSSOUserFromRequest(req);
+  res.json({ authenticated: !!user });
+});
+```
+
 ### Token storage
 ```ts
 import { TokenStorage } from '@lanonasis/oauth-client';
@@ -85,15 +177,20 @@ await storage.store(tokens);
 const restored = await storage.retrieve();
 ```
 
-### API key storage (hashes to SHA-256)
+In Node and Electron environments, secure storage now lazy-loads `keytar` so the ESM bundle can still use the native OS keychain when available. If native keychain access is unavailable, storage falls back to the encrypted local file backend automatically.
+
+### API key storage
 ```ts
 import { ApiKeyStorage } from '@lanonasis/oauth-client';
 
 const apiKeys = new ApiKeyStorage();
 await apiKeys.store({ apiKey: 'lns_abc123', environment: 'production' });
-const hashed = await apiKeys.getApiKey(); // returns sha256 hex digest
+const apiKey = await apiKeys.getApiKey(); // returns the original key for outbound auth headers
 ```
 
+Node/Electron secure storage preserves the original secret value so clients can send it back
+in `X-API-Key` or `Authorization` headers when talking to remote services.
+
 ## Configuration
 
 ### API Key Mode
@@ -116,10 +213,11 @@ const hashed = await apiKeys.getApiKey(); // returns sha256 hex digest
 - The terminal/device code flow remains Node-only; in browser previews use API key or desktop flow.
 
 ## Publishing (maintainers)
-1) Build artifacts: `npm install && npm run build`
-2) Verify contents: ensure `dist`, `README.md`, `LICENSE` are present.
-3) Publish: `npm publish --access public` (registry must have 2FA as configured).
-4) Tag in git (optional): `git tag oauth-client-v1.0.0 && git push --tags`
+1) Install and verify: `npm install && npm test && npm run build`
+2) Audit release deps: `bun audit`
+3) Verify contents: ensure `dist`, `README.md`, and `LICENSE` are present.
+4) Publish: `npm publish --access public` (registry must have 2FA as configured).
+5) Tag in git (optional): `git tag oauth-client-vX.Y.Z && git push --tags`
 
 ## Files shipped
 - `dist/*` compiled CJS/ESM bundles + types
@@ -145,5 +243,56 @@ This SDK implements client-side equivalents of the auth-gateway's authentication
 
 See [auth-gateway/AUTHENTICATION-METHODS.md](../../apps/onasis-core/services/auth-gateway/AUTHENTICATION-METHODS.md) for complete server-side documentation.
 
+## Exports
+
+| Export | Description | Use Case |
+|--------|-------------|----------|
+| `@lanonasis/oauth-client` | Main entry - OAuth flows, MCP client, storage | Node.js CLI, servers |
+| `@lanonasis/oauth-client/browser` | Browser-safe bundle (no Node deps) | Web apps, SPAs |
+| `@lanonasis/oauth-client/react` | React hooks + browser cookie utils | React/Next.js apps |
+| `@lanonasis/oauth-client/server` | Express middleware + server cookie utils | Express/Node servers |
+
+## Migration from @lanonasis/shared-auth
+
+`@lanonasis/shared-auth` is now **deprecated**. All functionality has been consolidated into `@lanonasis/oauth-client`.
+
+### Import Changes
+
+```typescript
+// ❌ BEFORE (deprecated)
+import { useSSO, useSSOSync } from '@lanonasis/shared-auth';
+import { getSSOUserFromRequest } from '@lanonasis/shared-auth/server';
+
+// ✅ AFTER (recommended)
+import { useSSO, useSSOSync } from '@lanonasis/oauth-client/react';
+import { getSSOUserFromRequest, requireAuth } from '@lanonasis/oauth-client/server';
+```
+
+### Package.json Changes
+
+```json
+{
+  "dependencies": {
+    // ❌ Remove
+    "@lanonasis/shared-auth": "^1.x.x",
+
+    // ✅ Add/Update
+    "@lanonasis/oauth-client": "^2.0.0"
+  }
+}
+```
+
+### New Middleware (Bonus!)
+
+The migration gives you access to new middleware that wasn't in shared-auth:
+
+```ts
+import { requireAuth, optionalAuth, requireRole } from '@lanonasis/oauth-client/server';
+
+// These are new! Replace manual auth checks
+app.get('/api/protected', requireAuth(), handler);
+app.delete('/api/admin/*', requireAuth(), requireRole('admin'), handler);
+```
+
 ## License
 MIT © Lan Onasis

package/dist/{api-key-storage-web-J3W8nQi2.d.cts → api-key-storage-web-DUyiN9mC.d.cts}

@@ -106,7 +106,8 @@ declare class TokenStorage implements TokenStorageAdapter {
     private readonly storageKey;
     private readonly webEncryptionKeyStorage;
     private keytar;
-    constructor();
+    private keytarLoadAttempted;
+    private getKeytar;
     store(tokens: TokenResponse): Promise<void>;
     retrieve(): Promise<TokenResponse | null>;
     clear(): Promise<void>;
@@ -182,8 +183,9 @@ declare class ApiKeyStorage {
     private readonly legacyConfigKey;
     private readonly webEncryptionKeyStorage;
     private keytar;
+    private keytarLoadAttempted;
     private migrationCompleted;
-    constructor();
+    private getKeytar;
     /**
      * Initialize and migrate from legacy storage if needed
      */
@@ -235,8 +237,12 @@ declare class ApiKeyStorage {
     private base64Encode;
     private base64Decode;
     /**
-     * Normalize API keys to a SHA-256 hex digest.
-     * Accepts pre-hashed input and lowercases it to prevent double hashing.
+     * Normalize stored credentials without transforming their value.
+     *
+     * These secrets are stored in encrypted local storage/keychains and must remain
+     * usable for outbound authentication headers (for example X-API-Key or Bearer).
+     * Hashing here would make the original credential unrecoverable and break
+     * clients that need to send the raw key/token back to a remote service.
      */
     private normalizeApiKey;
 }
@@ -257,4 +263,4 @@ declare class ApiKeyStorageWeb {
     private base64Decode;
 }
 
-export { AuthGatewayClient as A, BaseOAuthFlow as B, DesktopOAuthFlow as D, type GrantType as G, type OAuthConfig as O, type PKCEChallenge as P, type TokenStorageAdapter as T, TokenStorageWeb as a, ApiKeyStorageWeb as b, type TokenResponse as c, type DeviceCodeResponse as d, type AuthError as e, type AuthTokenType as f, type AuthValidationResult as g, type AuthGatewayClientConfig as h, type TokenExchangeOptions as i, type TokenExchangeResponse as j, TokenStorage as k, type ApiKeyData as l, ApiKeyStorage as m };
+export { ApiKeyStorageWeb as A, BaseOAuthFlow as B, DesktopOAuthFlow as D, type GrantType as G, type OAuthConfig as O, type PKCEChallenge as P, type TokenStorageAdapter as T, type AuthError as a, AuthGatewayClient as b, type AuthGatewayClientConfig as c, type AuthTokenType as d, type AuthValidationResult as e, type DeviceCodeResponse as f, type TokenExchangeOptions as g, type TokenExchangeResponse as h, type TokenResponse as i, TokenStorageWeb as j, type ApiKeyData as k, ApiKeyStorage as l, TokenStorage as m };

package/dist/{api-key-storage-web-J3W8nQi2.d.ts → api-key-storage-web-DUyiN9mC.d.ts}

@@ -106,7 +106,8 @@ declare class TokenStorage implements TokenStorageAdapter {
     private readonly storageKey;
     private readonly webEncryptionKeyStorage;
     private keytar;
-    constructor();
+    private keytarLoadAttempted;
+    private getKeytar;
     store(tokens: TokenResponse): Promise<void>;
     retrieve(): Promise<TokenResponse | null>;
     clear(): Promise<void>;
@@ -182,8 +183,9 @@ declare class ApiKeyStorage {
     private readonly legacyConfigKey;
     private readonly webEncryptionKeyStorage;
     private keytar;
+    private keytarLoadAttempted;
     private migrationCompleted;
-    constructor();
+    private getKeytar;
     /**
      * Initialize and migrate from legacy storage if needed
      */
@@ -235,8 +237,12 @@ declare class ApiKeyStorage {
     private base64Encode;
     private base64Decode;
     /**
-     * Normalize API keys to a SHA-256 hex digest.
-     * Accepts pre-hashed input and lowercases it to prevent double hashing.
+     * Normalize stored credentials without transforming their value.
+     *
+     * These secrets are stored in encrypted local storage/keychains and must remain
+     * usable for outbound authentication headers (for example X-API-Key or Bearer).
+     * Hashing here would make the original credential unrecoverable and break
+     * clients that need to send the raw key/token back to a remote service.
      */
     private normalizeApiKey;
 }
@@ -257,4 +263,4 @@ declare class ApiKeyStorageWeb {
     private base64Decode;
 }
 
-export { AuthGatewayClient as A, BaseOAuthFlow as B, DesktopOAuthFlow as D, type GrantType as G, type OAuthConfig as O, type PKCEChallenge as P, type TokenStorageAdapter as T, TokenStorageWeb as a, ApiKeyStorageWeb as b, type TokenResponse as c, type DeviceCodeResponse as d, type AuthError as e, type AuthTokenType as f, type AuthValidationResult as g, type AuthGatewayClientConfig as h, type TokenExchangeOptions as i, type TokenExchangeResponse as j, TokenStorage as k, type ApiKeyData as l, ApiKeyStorage as m };
+export { ApiKeyStorageWeb as A, BaseOAuthFlow as B, DesktopOAuthFlow as D, type GrantType as G, type OAuthConfig as O, type PKCEChallenge as P, type TokenStorageAdapter as T, type AuthError as a, AuthGatewayClient as b, type AuthGatewayClientConfig as c, type AuthTokenType as d, type AuthValidationResult as e, type DeviceCodeResponse as f, type TokenExchangeOptions as g, type TokenExchangeResponse as h, type TokenResponse as i, TokenStorageWeb as j, type ApiKeyData as k, ApiKeyStorage as l, TokenStorage as m };

package/dist/browser.d.cts

@@ -1,5 +1,5 @@
-import { O as OAuthConfig, T as TokenStorageAdapter } from './api-key-storage-web-J3W8nQi2.cjs';
-export { b as ApiKeyStorageWeb, e as AuthError, A as AuthGatewayClient, h as AuthGatewayClientConfig, f as AuthTokenType, g as AuthValidationResult, B as BaseOAuthFlow, D as DesktopOAuthFlow, d as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, i as TokenExchangeOptions, j as TokenExchangeResponse, c as TokenResponse, a as TokenStorageWeb } from './api-key-storage-web-J3W8nQi2.cjs';
+import { O as OAuthConfig, T as TokenStorageAdapter } from './api-key-storage-web-DUyiN9mC.cjs';
+export { A as ApiKeyStorageWeb, a as AuthError, b as AuthGatewayClient, c as AuthGatewayClientConfig, d as AuthTokenType, e as AuthValidationResult, B as BaseOAuthFlow, D as DesktopOAuthFlow, f as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, g as TokenExchangeOptions, h as TokenExchangeResponse, i as TokenResponse, j as TokenStorageWeb } from './api-key-storage-web-DUyiN9mC.cjs';
 
 interface MCPClientConfig extends Partial<OAuthConfig> {
     mcpEndpoint?: string;

package/dist/browser.d.ts

@@ -1,5 +1,5 @@
-import { O as OAuthConfig, T as TokenStorageAdapter } from './api-key-storage-web-J3W8nQi2.js';
-export { b as ApiKeyStorageWeb, e as AuthError, A as AuthGatewayClient, h as AuthGatewayClientConfig, f as AuthTokenType, g as AuthValidationResult, B as BaseOAuthFlow, D as DesktopOAuthFlow, d as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, i as TokenExchangeOptions, j as TokenExchangeResponse, c as TokenResponse, a as TokenStorageWeb } from './api-key-storage-web-J3W8nQi2.js';
+import { O as OAuthConfig, T as TokenStorageAdapter } from './api-key-storage-web-DUyiN9mC.js';
+export { A as ApiKeyStorageWeb, a as AuthError, b as AuthGatewayClient, c as AuthGatewayClientConfig, d as AuthTokenType, e as AuthValidationResult, B as BaseOAuthFlow, D as DesktopOAuthFlow, f as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, g as TokenExchangeOptions, h as TokenExchangeResponse, i as TokenResponse, j as TokenStorageWeb } from './api-key-storage-web-DUyiN9mC.js';
 
 interface MCPClientConfig extends Partial<OAuthConfig> {
     mcpEndpoint?: string;

package/dist/{constants-BOZ6jJU4.d.cts → constants-BZPTHasL.d.cts}

@@ -107,4 +107,4 @@ declare const DEFAULT_POLL_INTERVAL = 30000;
  */
 declare const DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
 
-export { COOKIE_NAMES as C, DEFAULT_AUTH_GATEWAY as D, type SSOConfig as S, type UseSSOReturn as U, type SupabaseSession as a, type SSOSyncConfig as b, type UseSSOSyncReturn as c, type SSOUser as d, type SSOState as e, DEFAULT_COOKIE_DOMAIN as f, DEFAULT_POLL_INTERVAL as g, DEFAULT_PROJECT_SCOPE as h };
+export { COOKIE_NAMES as C, DEFAULT_AUTH_GATEWAY as D, type SSOConfig as S, type UseSSOReturn as U, type SupabaseSession as a, type SSOSyncConfig as b, type UseSSOSyncReturn as c, type SSOUser as d, DEFAULT_COOKIE_DOMAIN as e, DEFAULT_POLL_INTERVAL as f, DEFAULT_PROJECT_SCOPE as g, type SSOState as h };

package/dist/{constants-BOZ6jJU4.d.ts → constants-BZPTHasL.d.ts}

@@ -107,4 +107,4 @@ declare const DEFAULT_POLL_INTERVAL = 30000;
  */
 declare const DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
 
-export { COOKIE_NAMES as C, DEFAULT_AUTH_GATEWAY as D, type SSOConfig as S, type UseSSOReturn as U, type SupabaseSession as a, type SSOSyncConfig as b, type UseSSOSyncReturn as c, type SSOUser as d, type SSOState as e, DEFAULT_COOKIE_DOMAIN as f, DEFAULT_POLL_INTERVAL as g, DEFAULT_PROJECT_SCOPE as h };
+export { COOKIE_NAMES as C, DEFAULT_AUTH_GATEWAY as D, type SSOConfig as S, type UseSSOReturn as U, type SupabaseSession as a, type SSOSyncConfig as b, type UseSSOSyncReturn as c, type SSOUser as d, DEFAULT_COOKIE_DOMAIN as e, DEFAULT_POLL_INTERVAL as f, DEFAULT_PROJECT_SCOPE as g, type SSOState as h };

package/dist/index.cjs

@@ -661,13 +661,25 @@ var TokenStorage = class {
   constructor() {
     this.storageKey = "lanonasis_mcp_tokens";
     this.webEncryptionKeyStorage = "lanonasis_web_token_enc_key";
-    if (this.isNode()) {
-      try {
-        this.keytar = require("keytar");
-      } catch (e) {
-        console.warn("Keytar not available - falling back to file storage");
-      }
+    this.keytar = null;
+    this.keytarLoadAttempted = false;
+  }
+  async getKeytar() {
+    if (!this.isNode()) {
+      return null;
     }
+    if (this.keytarLoadAttempted) {
+      return this.keytar;
+    }
+    this.keytarLoadAttempted = true;
+    try {
+      const keytarModule = await import("keytar");
+      this.keytar = keytarModule.default ?? keytarModule;
+    } catch {
+      this.keytar = null;
+      console.warn("Keytar not available - falling back to file storage");
+    }
+    return this.keytar;
   }
   async store(tokens) {
     const tokensWithTimestamp = {
@@ -676,8 +688,9 @@ var TokenStorage = class {
     };
     const tokenString = JSON.stringify(tokensWithTimestamp);
     if (this.isNode()) {
-      if (this.keytar) {
-        await this.keytar.setPassword("lanonasis-mcp", "tokens", tokenString);
+      const keytar = await this.getKeytar();
+      if (keytar) {
+        await keytar.setPassword("lanonasis-mcp", "tokens", tokenString);
       } else {
         await this.storeToFile(tokenString);
       }
@@ -694,8 +707,9 @@ var TokenStorage = class {
     let tokenString = null;
     try {
       if (this.isNode()) {
-        if (this.keytar) {
-          tokenString = await this.keytar.getPassword("lanonasis-mcp", "tokens");
+        const keytar = await this.getKeytar();
+        if (keytar) {
+          tokenString = await keytar.getPassword("lanonasis-mcp", "tokens");
         }
         if (!tokenString) {
           tokenString = await this.retrieveFromFile();
@@ -719,8 +733,9 @@ var TokenStorage = class {
   }
   async clear() {
     if (this.isNode()) {
-      if (this.keytar) {
-        await this.keytar.deletePassword("lanonasis-mcp", "tokens");
+      const keytar = await this.getKeytar();
+      if (keytar) {
+        await keytar.deletePassword("lanonasis-mcp", "tokens");
       }
       await this.deleteFile();
     } else if (this.isElectron()) {
@@ -965,14 +980,26 @@ var ApiKeyStorage = class {
     this.storageKey = "lanonasis_api_key";
     this.legacyConfigKey = "lanonasis_legacy_api_key";
     this.webEncryptionKeyStorage = "lanonasis_web_enc_key";
+    this.keytar = null;
+    this.keytarLoadAttempted = false;
     this.migrationCompleted = false;
-    if (this.isNode()) {
-      try {
-        this.keytar = require("keytar");
-      } catch (e) {
-        console.warn("Keytar not available - falling back to encrypted file storage");
-      }
+  }
+  async getKeytar() {
+    if (!this.isNode()) {
+      return null;
+    }
+    if (this.keytarLoadAttempted) {
+      return this.keytar;
+    }
+    this.keytarLoadAttempted = true;
+    try {
+      const keytarModule = await import("keytar");
+      this.keytar = keytarModule.default ?? keytarModule;
+    } catch {
+      this.keytar = null;
+      console.warn("Keytar not available - falling back to encrypted file storage");
     }
+    return this.keytar;
   }
   /**
    * Initialize and migrate from legacy storage if needed
@@ -992,9 +1019,10 @@ var ApiKeyStorage = class {
     };
     const keyString = JSON.stringify(dataWithTimestamp);
     if (this.isNode()) {
-      if (this.keytar) {
+      const keytar = await this.getKeytar();
+      if (keytar) {
         try {
-          await this.keytar.setPassword("lanonasis-mcp", this.storageKey, keyString);
+          await keytar.setPassword("lanonasis-mcp", this.storageKey, keyString);
           return;
         } catch (error) {
           console.warn("Keytar storage failed, falling back to file:", error);
@@ -1017,9 +1045,10 @@ var ApiKeyStorage = class {
     let keyString = null;
     try {
       if (this.isNode()) {
-        if (this.keytar) {
+        const keytar = await this.getKeytar();
+        if (keytar) {
           try {
-            keyString = await this.keytar.getPassword("lanonasis-mcp", this.storageKey);
+            keyString = await keytar.getPassword("lanonasis-mcp", this.storageKey);
           } catch (error) {
             console.warn("Keytar retrieval failed, trying file:", error);
           }
@@ -1077,9 +1106,10 @@ var ApiKeyStorage = class {
    */
   async clear() {
     if (this.isNode()) {
-      if (this.keytar) {
+      const keytar = await this.getKeytar();
+      if (keytar) {
         try {
-          await this.keytar.deletePassword("lanonasis-mcp", this.storageKey);
+          await keytar.deletePassword("lanonasis-mcp", this.storageKey);
         } catch (error) {
           console.warn("Keytar deletion failed:", error);
         }
@@ -1381,26 +1411,19 @@ var ApiKeyStorage = class {
     throw new Error("No base64 decoder available");
   }
   /**
-   * Normalize API keys to a SHA-256 hex digest.
-   * Accepts pre-hashed input and lowercases it to prevent double hashing.
+   * Normalize stored credentials without transforming their value.
+   *
+   * These secrets are stored in encrypted local storage/keychains and must remain
+   * usable for outbound authentication headers (for example X-API-Key or Bearer).
+   * Hashing here would make the original credential unrecoverable and break
+   * clients that need to send the raw key/token back to a remote service.
    */
   async normalizeApiKey(apiKey) {
     const value = apiKey?.trim();
     if (!value) {
       throw new Error("API key must be a non-empty string");
     }
-    if (/^[a-f0-9]{64}$/i.test(value)) {
-      return value.toLowerCase();
-    }
-    if (typeof globalThis !== "undefined" && globalThis.crypto?.subtle) {
-      const encoder = new TextEncoder();
-      const data = encoder.encode(value);
-      const hashBuffer = await globalThis.crypto.subtle.digest("SHA-256", data);
-      const hashArray = Array.from(new Uint8Array(hashBuffer));
-      return hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
-    }
-    const nodeCrypto = await import("crypto");
-    return nodeCrypto.createHash("sha256").update(value).digest("hex");
+    return value;
   }
 };
 

package/dist/index.d.cts

@@ -1,5 +1,5 @@
-import { B as BaseOAuthFlow, O as OAuthConfig, c as TokenResponse, T as TokenStorageAdapter } from './api-key-storage-web-J3W8nQi2.cjs';
-export { l as ApiKeyData, m as ApiKeyStorage, b as ApiKeyStorageWeb, e as AuthError, A as AuthGatewayClient, h as AuthGatewayClientConfig, f as AuthTokenType, g as AuthValidationResult, D as DesktopOAuthFlow, d as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, i as TokenExchangeOptions, j as TokenExchangeResponse, k as TokenStorage, a as TokenStorageWeb } from './api-key-storage-web-J3W8nQi2.cjs';
+import { B as BaseOAuthFlow, O as OAuthConfig, i as TokenResponse, T as TokenStorageAdapter } from './api-key-storage-web-DUyiN9mC.cjs';
+export { k as ApiKeyData, l as ApiKeyStorage, A as ApiKeyStorageWeb, a as AuthError, b as AuthGatewayClient, c as AuthGatewayClientConfig, d as AuthTokenType, e as AuthValidationResult, D as DesktopOAuthFlow, f as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, g as TokenExchangeOptions, h as TokenExchangeResponse, m as TokenStorage, j as TokenStorageWeb } from './api-key-storage-web-DUyiN9mC.cjs';
 
 declare class TerminalOAuthFlow extends BaseOAuthFlow {
     private pollInterval;

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-import { B as BaseOAuthFlow, O as OAuthConfig, c as TokenResponse, T as TokenStorageAdapter } from './api-key-storage-web-J3W8nQi2.js';
-export { l as ApiKeyData, m as ApiKeyStorage, b as ApiKeyStorageWeb, e as AuthError, A as AuthGatewayClient, h as AuthGatewayClientConfig, f as AuthTokenType, g as AuthValidationResult, D as DesktopOAuthFlow, d as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, i as TokenExchangeOptions, j as TokenExchangeResponse, k as TokenStorage, a as TokenStorageWeb } from './api-key-storage-web-J3W8nQi2.js';
+import { B as BaseOAuthFlow, O as OAuthConfig, i as TokenResponse, T as TokenStorageAdapter } from './api-key-storage-web-DUyiN9mC.js';
+export { k as ApiKeyData, l as ApiKeyStorage, A as ApiKeyStorageWeb, a as AuthError, b as AuthGatewayClient, c as AuthGatewayClientConfig, d as AuthTokenType, e as AuthValidationResult, D as DesktopOAuthFlow, f as DeviceCodeResponse, G as GrantType, P as PKCEChallenge, g as TokenExchangeOptions, h as TokenExchangeResponse, m as TokenStorage, j as TokenStorageWeb } from './api-key-storage-web-DUyiN9mC.js';
 
 declare class TerminalOAuthFlow extends BaseOAuthFlow {
     private pollInterval;

package/dist/index.mjs

@@ -622,13 +622,25 @@ var TokenStorage = class {
   constructor() {
     this.storageKey = "lanonasis_mcp_tokens";
     this.webEncryptionKeyStorage = "lanonasis_web_token_enc_key";
-    if (this.isNode()) {
-      try {
-        this.keytar = __require("keytar");
-      } catch (e) {
-        console.warn("Keytar not available - falling back to file storage");
-      }
+    this.keytar = null;
+    this.keytarLoadAttempted = false;
+  }
+  async getKeytar() {
+    if (!this.isNode()) {
+      return null;
     }
+    if (this.keytarLoadAttempted) {
+      return this.keytar;
+    }
+    this.keytarLoadAttempted = true;
+    try {
+      const keytarModule = await import("keytar");
+      this.keytar = keytarModule.default ?? keytarModule;
+    } catch {
+      this.keytar = null;
+      console.warn("Keytar not available - falling back to file storage");
+    }
+    return this.keytar;
   }
   async store(tokens) {
     const tokensWithTimestamp = {
@@ -637,8 +649,9 @@ var TokenStorage = class {
     };
     const tokenString = JSON.stringify(tokensWithTimestamp);
     if (this.isNode()) {
-      if (this.keytar) {
-        await this.keytar.setPassword("lanonasis-mcp", "tokens", tokenString);
+      const keytar = await this.getKeytar();
+      if (keytar) {
+        await keytar.setPassword("lanonasis-mcp", "tokens", tokenString);
       } else {
         await this.storeToFile(tokenString);
       }
@@ -655,8 +668,9 @@ var TokenStorage = class {
     let tokenString = null;
     try {
       if (this.isNode()) {
-        if (this.keytar) {
-          tokenString = await this.keytar.getPassword("lanonasis-mcp", "tokens");
+        const keytar = await this.getKeytar();
+        if (keytar) {
+          tokenString = await keytar.getPassword("lanonasis-mcp", "tokens");
         }
         if (!tokenString) {
           tokenString = await this.retrieveFromFile();
@@ -680,8 +694,9 @@ var TokenStorage = class {
   }
   async clear() {
     if (this.isNode()) {
-      if (this.keytar) {
-        await this.keytar.deletePassword("lanonasis-mcp", "tokens");
+      const keytar = await this.getKeytar();
+      if (keytar) {
+        await keytar.deletePassword("lanonasis-mcp", "tokens");
       }
       await this.deleteFile();
     } else if (this.isElectron()) {
@@ -926,14 +941,26 @@ var ApiKeyStorage = class {
     this.storageKey = "lanonasis_api_key";
     this.legacyConfigKey = "lanonasis_legacy_api_key";
     this.webEncryptionKeyStorage = "lanonasis_web_enc_key";
+    this.keytar = null;
+    this.keytarLoadAttempted = false;
     this.migrationCompleted = false;
-    if (this.isNode()) {
-      try {
-        this.keytar = __require("keytar");
-      } catch (e) {
-        console.warn("Keytar not available - falling back to encrypted file storage");
-      }
+  }
+  async getKeytar() {
+    if (!this.isNode()) {
+      return null;
+    }
+    if (this.keytarLoadAttempted) {
+      return this.keytar;
+    }
+    this.keytarLoadAttempted = true;
+    try {
+      const keytarModule = await import("keytar");
+      this.keytar = keytarModule.default ?? keytarModule;
+    } catch {
+      this.keytar = null;
+      console.warn("Keytar not available - falling back to encrypted file storage");
     }
+    return this.keytar;
   }
   /**
    * Initialize and migrate from legacy storage if needed
@@ -953,9 +980,10 @@ var ApiKeyStorage = class {
     };
     const keyString = JSON.stringify(dataWithTimestamp);
     if (this.isNode()) {
-      if (this.keytar) {
+      const keytar = await this.getKeytar();
+      if (keytar) {
         try {
-          await this.keytar.setPassword("lanonasis-mcp", this.storageKey, keyString);
+          await keytar.setPassword("lanonasis-mcp", this.storageKey, keyString);
           return;
         } catch (error) {
           console.warn("Keytar storage failed, falling back to file:", error);
@@ -978,9 +1006,10 @@ var ApiKeyStorage = class {
     let keyString = null;
     try {
       if (this.isNode()) {
-        if (this.keytar) {
+        const keytar = await this.getKeytar();
+        if (keytar) {
           try {
-            keyString = await this.keytar.getPassword("lanonasis-mcp", this.storageKey);
+            keyString = await keytar.getPassword("lanonasis-mcp", this.storageKey);
           } catch (error) {
             console.warn("Keytar retrieval failed, trying file:", error);
           }
@@ -1038,9 +1067,10 @@ var ApiKeyStorage = class {
    */
   async clear() {
     if (this.isNode()) {
-      if (this.keytar) {
+      const keytar = await this.getKeytar();
+      if (keytar) {
         try {
-          await this.keytar.deletePassword("lanonasis-mcp", this.storageKey);
+          await keytar.deletePassword("lanonasis-mcp", this.storageKey);
         } catch (error) {
           console.warn("Keytar deletion failed:", error);
         }
@@ -1342,26 +1372,19 @@ var ApiKeyStorage = class {
     throw new Error("No base64 decoder available");
   }
   /**
-   * Normalize API keys to a SHA-256 hex digest.
-   * Accepts pre-hashed input and lowercases it to prevent double hashing.
+   * Normalize stored credentials without transforming their value.
+   *
+   * These secrets are stored in encrypted local storage/keychains and must remain
+   * usable for outbound authentication headers (for example X-API-Key or Bearer).
+   * Hashing here would make the original credential unrecoverable and break
+   * clients that need to send the raw key/token back to a remote service.
    */
   async normalizeApiKey(apiKey) {
     const value = apiKey?.trim();
     if (!value) {
       throw new Error("API key must be a non-empty string");
     }
-    if (/^[a-f0-9]{64}$/i.test(value)) {
-      return value.toLowerCase();
-    }
-    if (typeof globalThis !== "undefined" && globalThis.crypto?.subtle) {
-      const encoder = new TextEncoder();
-      const data = encoder.encode(value);
-      const hashBuffer = await globalThis.crypto.subtle.digest("SHA-256", data);
-      const hashArray = Array.from(new Uint8Array(hashBuffer));
-      return hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
-    }
-    const nodeCrypto = await import("crypto");
-    return nodeCrypto.createHash("sha256").update(value).digest("hex");
+    return value;
   }
 };
 

package/dist/react/index.d.cts

@@ -1,5 +1,5 @@
-import { S as SSOConfig, U as UseSSOReturn, a as SupabaseSession, b as SSOSyncConfig, c as UseSSOSyncReturn, d as SSOUser } from '../constants-BOZ6jJU4.cjs';
-export { C as COOKIE_NAMES, D as DEFAULT_AUTH_GATEWAY, f as DEFAULT_COOKIE_DOMAIN, g as DEFAULT_POLL_INTERVAL, h as DEFAULT_PROJECT_SCOPE, e as SSOState } from '../constants-BOZ6jJU4.cjs';
+import { S as SSOConfig, U as UseSSOReturn, a as SupabaseSession, b as SSOSyncConfig, c as UseSSOSyncReturn, d as SSOUser } from '../constants-BZPTHasL.cjs';
+export { C as COOKIE_NAMES, D as DEFAULT_AUTH_GATEWAY, e as DEFAULT_COOKIE_DOMAIN, f as DEFAULT_POLL_INTERVAL, g as DEFAULT_PROJECT_SCOPE, h as SSOState } from '../constants-BZPTHasL.cjs';
 
 /**
  * React hook for SSO authentication state

package/dist/react/index.d.ts

@@ -1,5 +1,5 @@
-import { S as SSOConfig, U as UseSSOReturn, a as SupabaseSession, b as SSOSyncConfig, c as UseSSOSyncReturn, d as SSOUser } from '../constants-BOZ6jJU4.js';
-export { C as COOKIE_NAMES, D as DEFAULT_AUTH_GATEWAY, f as DEFAULT_COOKIE_DOMAIN, g as DEFAULT_POLL_INTERVAL, h as DEFAULT_PROJECT_SCOPE, e as SSOState } from '../constants-BOZ6jJU4.js';
+import { S as SSOConfig, U as UseSSOReturn, a as SupabaseSession, b as SSOSyncConfig, c as UseSSOSyncReturn, d as SSOUser } from '../constants-BZPTHasL.js';
+export { C as COOKIE_NAMES, D as DEFAULT_AUTH_GATEWAY, e as DEFAULT_COOKIE_DOMAIN, f as DEFAULT_POLL_INTERVAL, g as DEFAULT_PROJECT_SCOPE, h as SSOState } from '../constants-BZPTHasL.js';
 
 /**
  * React hook for SSO authentication state

package/dist/server/index.d.cts

@@ -1,5 +1,5 @@
-import { d as SSOUser } from '../constants-BOZ6jJU4.cjs';
-export { C as COOKIE_NAMES, D as DEFAULT_AUTH_GATEWAY, f as DEFAULT_COOKIE_DOMAIN, h as DEFAULT_PROJECT_SCOPE } from '../constants-BOZ6jJU4.cjs';
+import { d as SSOUser } from '../constants-BZPTHasL.cjs';
+export { C as COOKIE_NAMES, D as DEFAULT_AUTH_GATEWAY, e as DEFAULT_COOKIE_DOMAIN, g as DEFAULT_PROJECT_SCOPE } from '../constants-BZPTHasL.cjs';
 
 /**
  * Server-side types for SSO authentication

package/dist/server/index.d.ts

@@ -1,5 +1,5 @@
-import { d as SSOUser } from '../constants-BOZ6jJU4.js';
-export { C as COOKIE_NAMES, D as DEFAULT_AUTH_GATEWAY, f as DEFAULT_COOKIE_DOMAIN, h as DEFAULT_PROJECT_SCOPE } from '../constants-BOZ6jJU4.js';
+import { d as SSOUser } from '../constants-BZPTHasL.js';
+export { C as COOKIE_NAMES, D as DEFAULT_AUTH_GATEWAY, e as DEFAULT_COOKIE_DOMAIN, g as DEFAULT_PROJECT_SCOPE } from '../constants-BZPTHasL.js';
 
 /**
  * Server-side types for SSO authentication

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lanonasis/oauth-client",
-  "version": "2.0.0",
+  "version": "2.0.4",
   "type": "module",
   "description": "OAuth and API Key authentication client for Lan Onasis MCP integration",
   "license": "MIT",
@@ -43,6 +43,27 @@
       "types": "./dist/server/index.d.ts",
       "import": "./dist/server/index.mjs",
       "require": "./dist/server/index.cjs"
+    },
+    "./cookies": {
+      "types": "./dist/cookies/constants.d.ts",
+      "import": "./dist/cookies/constants.mjs",
+      "require": "./dist/cookies/constants.cjs"
+    }
+  },
+  "typesVersions": {
+    "*": {
+      "browser": [
+        "./dist/browser.d.ts"
+      ],
+      "react": [
+        "./dist/react/index.d.ts"
+      ],
+      "server": [
+        "./dist/server/index.d.ts"
+      ],
+      "cookies": [
+        "./dist/cookies/constants.d.ts"
+      ]
     }
   },
   "scripts": {
@@ -63,25 +84,30 @@
     "desktop"
   ],
   "dependencies": {
-    "cross-fetch": "^4.0.0",
-    "eventsource": "^2.0.2",
+    "cross-fetch": "^4.1.0",
+    "eventsource": "^4.1.0",
     "keytar": "^7.9.0",
-    "open": "^9.1.0"
+    "open": "^11.0.0"
   },
   "devDependencies": {
-    "@eslint/js": "^9.17.0",
-    "@types/node": "^20.0.0",
-    "@types/react": "^19.0.0",
-    "@vitest/coverage-v8": "^2.0.0",
-    "eslint": "^9.17.0",
-    "globals": "^16.4.0",
-    "tsup": "^8.5.0",
-    "typescript": "^5.3.3",
-    "typescript-eslint": "^8.18.1",
-    "vitest": "^2.0.0"
+    "@eslint/js": "^10.0.1",
+    "@types/node": "^25.5.0",
+    "@types/react": "^19.2.14",
+    "@vitest/coverage-v8": "^4.1.2",
+    "eslint": "^10.1.0",
+    "globals": "^17.4.0",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.57.2",
+    "vitest": "^4.1.2"
+  },
+  "overrides": {
+    "flatted": "^3.4.0",
+    "picomatch": "^4.0.4",
+    "rollup": "^4.59.0"
   },
   "peerDependencies": {
-    "@supabase/supabase-js": "^2.0.0",
+    "@supabase/supabase-js": "^2.100.1",
     "react": "^18.0.0 || ^19.0.0"
   },
   "peerDependenciesMeta": {